Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the Federal Law Enforcement Training Center Component of the FY 2010 DHS Financial Statement Audit

OIG-11-76                                            April 2011


Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 25028

APR 2011

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the FY 2010 Federal Law Enforcement Training Center (FLETC) component of the DHS financial statement audit as of September 30, 2010. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditor's Report dated November 12, 2010 and presents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at the FLETC component in support of the DHS FY 2010 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated March 18, 2011, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control or conclusion on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

[signature]
Assistant Inspector General
Information Technology Audits


KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

March 18, 2011

Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
Federal Law Enforcement Training Center

Ladies and Gentlemen:

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or Department), as of September 30, 2010 and the related statement of custodial activity for the year then ended (hereinafter referred to as "financial statements"). We were also engaged to examine the Department's internal control over financial reporting of the balance sheet as of September 30, 2010 and the statement of custodial activity for the year then ended.
We were not engaged to audit the statements of net cost, changes in net position, and budgetary resources as of September 30, 2010 (hereinafter referred to as "other fiscal year (FY) 2010 financial statements"), or to examine internal control over financial reporting over the other FY 2010 financial statements.

Because of matters discussed in our Independent Auditors' Report, dated November 12, 2010, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements or on the effectiveness of DHS' internal control over financial reporting of the balance sheet as of September 30, 2010, and related statement of custodial activity for the year then ended. Additional deficiencies in internal control over financial reporting, potentially including additional material weaknesses and significant deficiencies, may have been identified and reported had we been able to perform all procedures necessary to express an opinion on the financial statements or on the effectiveness of DHS' internal control over financial reporting of the balance sheet as of September 30, 2010, and related statement of custodial activity for the year then ended; and had we been engaged to audit the other FY 2010 financial statements, and to examine internal control over financial reporting over the other FY 2010 financial statements.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

The Federal Law Enforcement Training Center (FLETC) is a component of DHS. During our audit engagement, we noted certain matters in the areas of information technology (IT) configuration management, access controls, and security management with respect to FLETC's financial systems IT general controls, which we believe contribute to an IT material weakness at the DHS level. These matters are described in the IT General Control Findings and Recommendations section of this letter.

Information Technology Management Letter for the FLETC Component of the FY 2010 DHS Financial Statement Audit

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

The material weakness described above is presented in our Independent Auditors' Report, dated November 12, 2010. This letter represents the separate limited distribution letter mentioned in that report. The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR).

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. We aim to use our knowledge of FLETC gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies. We have not considered internal control since the date of our Independent Auditors' Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key FLETC financial systems and IT infrastructure within the scope of our engagement to audit the FY 2010 DHS financial statements in Appendix A; a listing of the FY 2010 IT Notices of Findings and Recommendations (NFR) at FLETC in Appendix B; and the status of the prior year NFRs and a comparison to current year NFRs at FLETC in Appendix C. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the FLETC Chief Financial Officer.

FLETC's written response to our comments and recommendations has not been subjected to auditing procedures and, accordingly, we express no opinion on it.

This communication is intended solely for the information and use of DHS and FLETC management, DHS Office of Inspector General, Office of Management and Budget (OMB), U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,


Department of Homeland Security
Federal Law Enforcement Training Center
Information Technology Management Letter
September 30, 2010

INFORMATION TECHNOLOGY MANAGEMENT LETTER
TABLE OF CONTENTS

                                                                        Page
Objective, Scope, and Approach                                            1
Summary of Findings and Recommendations                                   3
IT General Control Findings and Recommendations
    Configuration Management                                              4
    Access Control                                                        4
    Security Management                                                   4
Application Controls                                                      7
Management's Comments and OIG Response                                    7

APPENDICES
Appendix  Subject                                                       Page
A         Description of Key FLETC Financial Systems and IT
          Infrastructure within the Scope of the FY 2010 DHS
          Financial Statement Audit                                       8
B         FY 2010 Notices of IT Findings and Recommendations at FLETC    11
          • Notice of Findings and Recommendations - Definition of
            Severity Ratings                                             12
C         Status of Prior Year Notices of Findings and Recommendations
          and Comparison to Current Year Notices of Findings and
          Recommendations at FLETC                                       18
D         Management Response                                            20


OBJECTIVE, SCOPE AND APPROACH

In connection with our engagement to audit DHS' balance sheet as of September 30, 2010 and the related statement of custodial activity for the year then ended, we performed an evaluation of the information technology general controls (ITGC) at FLETC to assist in planning and performing our audit. The Federal Information System Controls Audit Manual (FISCAM), issued by GAO, formed the basis of our ITGC evaluation procedures. The scope of the ITGC evaluation is further described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency.
FISCAM defines the following five control functions as essential to the effective operation of the general IT controls environment.

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.
• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices. The technical security testing was performed both over the Internet and from within select FLETC facilities, and focused on test, development, and production devices that directly support key general support systems.

In addition to testing FLETC's general control environment, we performed application control tests on a limited number of FLETC's financial systems and applications. The application control testing was performed to assess the controls that support the financial systems' internal controls over the input, processing, and output of financial data and transactions.

• Application Controls (APC) – Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.


SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2010, FLETC took corrective action to address prior year IT control weaknesses. For example, FLETC made improvements over configuration management in Momentum and the Glynco Area Network (GAN) and management review over Momentum audit logs. However, during FY 2010, we continued to identify IT general control weaknesses that could potentially impact FLETC's financial data. The most significant weaknesses from a financial statement audit perspective were related to the GAN logical access controls and weaknesses over physical security and security awareness. Collectively, the IT control weaknesses limited FLETC's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over FLETC financial reporting and its operation and contribute to a material weakness at the department level under standards established by the American Institute of Certified Public Accountants. In addition, based upon the results of our test work, we noted that FLETC did not fully comply with the requirements of the Federal Financial Management Improvement Act (FFMIA).

Of the six findings identified during our FY 2010 testing, one was a new IT finding. These findings represent control deficiencies in three of the five FISCAM key control areas. The FISCAM areas impacted include configuration management, security management, and access controls. The specific weaknesses were 1) lack of management review of system audit logs, 2) ineffective account management involving user profiles and account lockout, and 3) personnel inadequately trained on basic security management policies and procedures. These control deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and FLETC financial data could be exploited, thereby compromising the integrity of financial data used by management as reported in DHS' consolidated financial statements. While the recommendations made by KPMG should be considered by FLETC, it is the ultimate responsibility of FLETC management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.


IT GENERAL CONTROL FINDINGS AND RECOMMENDATIONS

Findings:
During the FY 2010 DHS financial statement audit, we identified the following IT and financial system control deficiencies at FLETC that in the aggregate contribute to the IT material weakness at the Department level.

Configuration Management

• Momentum and GAN changes are not being documented throughout the change control process from the testing of changes to the final approval of the changes prior to implementation; and
• Distribution and implementation of Momentum and GAN changes are not being controlled.

Access Control

• Weak logical access controls over the GAN were noted as follows:
    • The GAN resets the account failed logon counter after 20 minutes, which does not meet the DHS 4300A requirement of 24 hours. Upon notification, FLETC immediately remediated the configuration issue; therefore, no recommendation will be offered for this issue.
• GAN security violation audit logs lack management review and signoff.
• Momentum user profile creation or modification is not logged or tracked.
• Weak logical access controls over the Student Information System (SIS) were noted as follows:
    • Password length is configured to a minimum of 6, which does not meet the DHS 4300A requirement of 8.
    • SIS is not configured to reset the account failed logon counter, which does not meet the DHS 4300A requirement of a reset every 24 hours.
    • User lockout occurs after 6 invalid attempts (only 3 attempts permitted per DHS 4300A).
    • A sample of audit logs that track changes to system data could not be provided.
    • User profile creation is not tracked and a listing of profile creation dates could not be provided.
    • Periodic review of user accounts is not being performed.

Security Management

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects included physical access to media and equipment that housed financial data and information residing within a FLETC employee's or contractor's work area, which could be used by others to gain unauthorized access to systems housing financial information.
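The logical access findings above reduce to a comparison of each system's account settings against the DHS 4300A thresholds the letter cites. The following is an added example, not code from the letter, KPMG, or FLETC: it encodes those thresholds (minimum password length 8, lockout after 3 failed attempts, counter reset every 24 hours) as data and evaluates the GAN and SIS settings reported above, with the GAN password length and lockout threshold, which the letter does not state, assumed compliant.

```python
"""Evaluate account-policy settings against the DHS 4300A thresholds cited in
the letter.  Added example, not part of the KPMG/OIG letter; the sample
policies below are constructed from the GAN and SIS findings it reports."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Requirements exactly as the letter's Access Control findings state them.
MIN_PASSWORD_LENGTH = 8          # "DHS 4300A requirement of 8"
MAX_FAILED_ATTEMPTS = 3          # "only 3 attempts permitted per DHS 4300A"
COUNTER_RESET_MINUTES = 24 * 60  # "a reset every 24 hours"


@dataclass(frozen=True)
class AccountPolicy:
    system: str
    min_password_length: int
    lockout_threshold: int                # failed attempts before lockout
    counter_reset_minutes: Optional[int]  # None means the counter never resets


def evaluate(policy: AccountPolicy) -> List[str]:
    """Return one finding per deviation from DHS 4300A; empty when compliant."""
    findings: List[str] = []
    if policy.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append(
            f"password length minimum {policy.min_password_length} "
            f"(DHS 4300A requires {MIN_PASSWORD_LENGTH})")
    if policy.lockout_threshold > MAX_FAILED_ATTEMPTS:
        findings.append(
            f"lockout after {policy.lockout_threshold} invalid attempts "
            f"(DHS 4300A permits {MAX_FAILED_ATTEMPTS})")
    # The letter treats both a 20-minute reset (GAN) and no reset at all (SIS)
    # as failing the 24-hour requirement, so anything other than 24 h is reported.
    if policy.counter_reset_minutes is None:
        findings.append(
            "failed logon counter is never reset "
            f"(DHS 4300A requires a reset every {COUNTER_RESET_MINUTES // 60} hours)")
    elif policy.counter_reset_minutes != COUNTER_RESET_MINUTES:
        findings.append(
            f"failed logon counter resets after {policy.counter_reset_minutes} minutes "
            f"(DHS 4300A requires {COUNTER_RESET_MINUTES // 60} hours)")
    return findings


# Constructed sample policies mirroring the settings reported in the letter.
# GAN password length and lockout threshold are not given there; compliant
# values are assumed so that only the reported 20-minute reset surfaces.
GAN = AccountPolicy("GAN", min_password_length=8, lockout_threshold=3,
                    counter_reset_minutes=20)
SIS = AccountPolicy("SIS", min_password_length=6, lockout_threshold=6,
                    counter_reset_minutes=None)


def report(policies=(GAN, SIS)) -> Dict[str, List[str]]:
    """Map each system name to its list of deviations."""
    return {p.system: evaluate(p) for p in policies}


if __name__ == "__main__":
    for system, findings in report().items():
        status = "compliant" if not findings else f"{len(findings)} deviation(s)"
        print(f"{system}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```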
The testing was performed at various FLETC locations that process and/or maintain financial data. The specific results are listed in the following table:

                                                           FLETC Locations Tested
                                            IT Office,    Finance Office,   Procurement and    Telecommunications      Total Exceptions
Exceptions Noted                            Building 681  Building 66       SIS, Building 93   Facility, Building 94   by Type
User Name and Passwords                          1              3                  0                    0                    4
For Official Use Only (FOUO)                     0              0                  0                    0                    0
Keys/Badges                                      0              0                  0                    0                    0
Personally Identifiable Information (PII)        0              8*                 0                    0                    8
Server Names/IP Addresses                        2              0                  0                    0                    2
Laptops                                          0              0                  0                    0                    0
External Drives                                  0              0                  0                    0                    0
Credit Cards                                     0              1                  0                    0                    1
Classified Documents                             0              0                  0                    0                    0
Other - workstations logged in without           2              0                  0                    0                    2
  screensaver activated
Total Exceptions by Location                     5             12                  0                    0                   17

*37 boxes of PII (names, birth date, address, SS#). Counted as one incident.


Recommendations:
We recommend that the FLETC Chief Information Officer and Chief Financial Officer, in coordination with the DHS Office of the Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to FLETC's financial management systems and associated information technology security program.

Configuration Management
We recommend that FLETC management update and enforce current procedures to ensure changes are fully documented throughout the change control process, to include the results of testing the change, review of the change test results, and final approval to proceed with the implementation.

Access Control
• Continue with the procurement and deployment of ArcSight Enterprise Security Management (ESM) as a replacement Security Information Management (SIM) solution for audit logging.
• Develop a Standard Operating Procedure (SOP) to implement management oversight for Momentum access authorizations for user profiles created or modified during the fiscal year.
• Configure or enhance existing automated controls to meet DHS requirements in financial systems. Alternatively, adequate mitigating controls may be relied upon to assure financial data is protected.

Security Management
We recommend that FLETC continue the physical controls enhancements in the Finance Division, Building 66. In addition, develop a Standard Operating Procedure (SOP) to address safeguarding of PII and credit card data in the Finance Division, implement use of the secure file storage rooms, and address entry controls for access points in the building.


APPLICATION CONTROLS

We did not identify any findings in the area of application controls during the fiscal year 2010 FLETC audit engagement.


MANAGEMENT'S COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from FLETC's Chief Information Officer. Generally, FLETC management agreed with our findings and recommendations. FLETC management has developed a remediation plan to address these findings and recommendations. A copy of the comments is included in Appendix D.

OIG Response

We agree with the steps that FLETC management is taking to satisfy these recommendations.


Appendix A

Description of Key FLETC Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial Statement Audit

Below is a description of significant FLETC financial management systems and supporting IT infrastructure included in the scope of the DHS Financial Statement Audit.

Financial Accounting and Budgeting System (FABS)
• Processing Location: FLETC Headquarters in Glynco, GA

General System Description:
The FLETC FABS application is an all-in-one financial processing system. It functions as the computerized accounting and budgeting system for FLETC.
The FABS system exists to provide all of the financial and budgeting transactions in which FLETC is involved. The FABS environment primarily consists of the latest version of the Momentum version 6.1 COTS software, an Oracle 10g database and its companion Oracle 10.2 Database Management System (DBMS). An application called "Tuxedo" also resides on a separate server. The Tuxedo middleware holds 67 executable files. These files are scripts that process daily information and are not directly accessible by users. The FABS application and servers reside on the FLETC LAN in a hybrid physical network topology and are accessible from four sites: Glynco, GA; Washington, D.C.; Artesia, New Mexico; and Cheltenham, MD.
• Hardware: Hewlett Packard ProLiant BL465c Blade Servers (web and application) and Hewlett Packard ProLiant BL685c Blade Servers (database)
• Operating System: Microsoft Windows 2003 Server running on virtual machines on top of VMware Infrastructure 3.5 Enterprise hypervisor on the web and application servers
• Database: Red Hat Enterprise Linux
• Security Software: The FABS system does not currently have a firewall scheme of its own; it resides on the FLETC LAN, which has a firewall in place

Interfaces:
• National Finance Center (NFC) Payroll System
• Student Information System
• Treasury Information Executive Repository (TIER)
• US Coast Guard Interface
• Kansas City Financial Center (KFC)

Glynco Administrative Network
• Processing Location: FLETC Headquarters in Glynco, GA

General System Description:
The purpose of GAN is to provide access to IT network applications and services, to include voice, to authorized FLETC personnel, contractors, and partner organizations located at the Glynco, Georgia facility. It provides authorized users access to email, internet services, required applications such as Financial Management Systems (FMS), procurement systems, property management systems, video conferencing, and other network services and shared resources.
• Hardware: Cisco ACS TACACS Server, Avaya 8700 Media Servers, Dell PowerEdge servers 1750, 1850, 1950, 2650, 2850, 2950, and 6650.
• Operating System: Windows XP SP2 (Desktop)
• Database: Red Hat Linux 4 Enterprise Edition
• Security Software: ASA 5500 series firewall and static IP addresses

Interfaces:
• FMS
• DHS HQ


Appendix B

FY 2010 Notices of IT Findings and Recommendations at FLETC
Appendix B
Department of Homeland Security
Federal Law Enforcement Training Center
Information Technology Management Letter
September 30, 2010

Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating its influence on the DHS Consolidated Independent Auditors' Report.

1 – Not substantial
2 – Less significant
3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These ratings are provided only to assist DHS in prioritizing the development of its corrective action plans for remediation of the deficiency.

Notice of Findings and Recommendations – Detail

NFR No.: FLETC-IT-10-01
New Issue: X    Repeat Issue: –    Severity Rating: 2
Condition: During our FY 2010 review of FLETC's configuration management policies and procedures, we noted that FLETC does not conduct the following:
• Momentum and GAN changes are not being documented throughout the change control process, from the testing of changes to the final approval of the changes prior to implementation; and
• Distribution and implementation of Momentum and GAN changes are not being controlled.
Recommendation: The FLETC management will update and enforce current procedures to ensure changes are fully documented throughout the change control process, to include the results of testing the change, review of the change test results, and final approval to proceed with the implementation.

NFR No.: FLETC-IT-10-02
New Issue: –    Repeat Issue: X    Severity Rating: 3
Condition: During the FY 2009 financial statement audit, we noted several weaknesses with the logical access controls for the GAN.
During our review in FY 2010, we reviewed the logical access controls over the GAN. Per our review, we noted that FLETC has remediated all of the logical access controls over the GAN; however, KPMG noted that the GAN was configured to reset the lockout counter after 20 minutes. This does not meet the DHS 4300A requirement of 24 hours. Upon notification, FLETC immediately remediated the configuration issue. However, the configuration was inappropriately configured for the majority of the fiscal year.
Recommendation: Due to remediation of this finding within the fiscal year, no recommendation is required.

NFR No.: FLETC-IT-10-03
New Issue: –    Repeat Issue: X    Severity Rating: 3
Condition: In FY 2009, KPMG conducted after-hours walkthrough testing to complement our IT audit testing efforts as part of the FY 2010 DHS Financial Statement Audit and Audit of Internal Control over Financial Reporting. We also performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects include physical access to equipment that houses financial data and information residing on the desks of FLETC personnel, which could be used by others to inappropriately access financial information.
For our review in FY 2010, follow-up test work was performed at various FLETC buildings in the Glynco, Georgia complex. The designated FLETC Technical Point of Contact and representatives from the DHS Office of Inspector General, the DHS Office of Information Security, and the FLETC Office of Physical Security accompanied KPMG to monitor testing and validate the results. After gaining access to the facilities, we inspected a random selection of desks and offices, looking for items such as improper protection of system passwords, unsecured information system hardware, documentation marked FOUO, and unlocked network sessions. Our selection of desks and offices was not statistically derived, and therefore we are unable to project results to the component or department as a whole. We reviewed over 90 desks and cubicles within the four locations.
Recommendation: Finance Division, Building 66, Safeguarding of PII and Credit Card data: Modifications to Building 66 have recently been completed which provide secure file storage rooms and entry controls for all access points in the building. A Standard Operating Procedure (SOP) will be drafted to address safeguarding of PII and credit card data in the Finance Division, implement use of the secure file storage rooms, and address entry controls for access points in the building. This will be developed and implemented by November 15, 2010. Additionally, specific requirements for safeguarding of PII and credit card data will be added to each Finance Division employee's FY2011 (and future) Annual Performance Work Plan to ensure there is no misunderstanding regarding each employee's responsibilities in this area.
Finance Office, Building 66, User Name and Passwords: Remedial training will be conducted regarding safeguarding user names and passwords. Additionally, specific requirements for safeguarding user names and passwords will be added to each Finance Division employee's FY2011 (and future) Annual Performance Work Plan to ensure there is no misunderstanding regarding each employee's responsibilities in this area.
For the CIO Operations and Support Division (OSD) in Bldg 681, remedial training will be conducted to ensure employees and contractors lock their doors and safeguard sensitive information. OSD will ensure the workstation screensaver feature is enabled on its workstations.

NFR No.: FLETC-IT-10-04
New Issue: –    Repeat Issue: X    Severity Rating: 2
Condition: During the FY 2009 financial statement audit, KPMG determined that logs of auditable events in the GAN are not being reviewed to identify potential incidents.
During our FY 2010 review, KPMG determined that FLETC has implemented the Security Information Management System (SIM) with capabilities to manage and store logs of auditable events. However, we determined that management does not have a formal process for reviewing the audit logs on a periodic basis.
Recommendation: FLETC's current SIM solution provides no capability to correlate or aggregate audit logs, which results in an arduous, untrackable and unmanageable audit log review process when handling millions of records each day. FLETC is currently in the process of procuring ArcSight ESM as a replacement SIM solution to address these and other shortcomings with the current solution. ArcSight ESM allows for both simplified and exceptionally complex event correlation rule authorship.
FLETC will deploy the ArcSight ESM solution during FY 2011. Users, such as ISSOs, will be provided focused dashboards with correlated information pertinent to their areas of responsibility. Audit logs will be reviewed as correlated and aggregated data and can be drilled down into in detail and reviewed when suspicious or anomalous records are found. Customized reports and automated alerts will be configured for each system and tailored for the audit log reviewer. Audit logs of access to the SIM itself will also be generated and reviewed to ensure users such as ISSOs and the SOC are utilizing the system, reviewing audit records, and responding to the configured automated alerts in a timely manner.

NFR No.: FLETC-IT-10-05
New Issue: –    Repeat Issue: X    Severity Rating: 3
Condition: During the FY 2009 financial statement audit, KPMG determined that access control weaknesses existed over Momentum access authorizations for users' profiles created or modified during the fiscal year.
During the FY 2010 financial statement audit, KPMG determined that access control weaknesses still existed over Momentum access authorizations for users' profiles created or modified during the fiscal year. Specifically, we learned that new users and profile changes are not being tracked by FLETC.
Recommendation: FLETC has implemented profile logging; however, due to the overwhelming volume of events logged by the system, this has proven to be unusable in terms of identifying relevant activity. FLETC is working to better analyze and manage the profile logging reports. An SOP will be drafted to implement management oversight for Momentum access authorizations for users' profiles created or modified during the fiscal year. This process will be developed and implemented by November 30, 2010.

NFR No.: FLETC-IT-10-06
New Issue: –    Repeat Issue: X    Severity Rating: 2
Condition: During the FY 2009 financial statement audit, we noted several weaknesses around access controls for SIS, including:
• SIS is configured to have a password history of two passwords stored.
• SIS is not configured to reset the account failed logon counter.
• Users were not locked out after three invalid access attempts.
• SIS system administrators share a 'root' username and password to perform administrative responsibilities.
• A sample of audit logs that track changes to system data could not be provided.
• User profile creation is not tracked and a listing of profile creation dates could not be provided.
• Evidence of periodic review of user accounts could not be provided.
In FY 2010, we inquired with FLETC and noted that although some corrective actions have taken place, the following has not yet been implemented:
• Users are not being locked out after three invalid attempts.
• SIS minimum password length is configured as six.
• SIS does not require a combination of alphabetic, numeric, and special characters.
• Audit logs that track changes to system data are not being reviewed.
• Profile creation and changes are not being tracked and a listing of profile updates could not be provided.
• Periodic review of user accounts is not being conducted.
Recommendation: FLETC will update the existing Risk Acceptance to include the password exceptions noted in the condition.
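NFRs 10-02 and 10-06 describe account settings that an ISSO can verify mechanically (a 20-minute lockout-counter reset where DHS 4300A requires 24 hours, no lockout after three invalid attempts, a six-character minimum length, no complexity requirement, a history of two), and NFR 10-04 describes audit logs that were stored but never formally reviewed. The Python script below is an added example, not part of the OIG report and not FLETC's or KPMG's tooling. It compares a policy export against the thresholds the findings cite and replays constructed logon events against the lockout rule, showing why a short reset window lets a slow run of failures go uncounted. The policy export, the log lines, and the minimum-length and history values are constructed for the example; only the three-attempt, 24-hour and complexity requirements come from the report.

```python
"""Added example (not from the OIG report or FLETC): automated checks for the
account-policy and audit-log-review conditions described in NFRs 10-02,
10-04 and 10-06."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Requirements:
    lockout_threshold: int     # NFR 10-06: lock out after three invalid attempts
    counter_reset_hours: int   # NFR 10-02: DHS 4300A requires a 24-hour reset
    min_password_length: int   # assumption: report only says six is insufficient
    min_password_history: int  # assumption: report only says two is insufficient
    require_complexity: bool   # NFR 10-06: alphabetic, numeric and special characters


# The two values marked "assumption" are illustrative, not taken from DHS 4300A.
EXAMPLE_REQUIREMENTS = Requirements(
    lockout_threshold=3,
    counter_reset_hours=24,
    min_password_length=8,     # assumption
    min_password_history=8,    # assumption
    require_complexity=True,
)

# Constructed policy export shaped like the GAN and SIS conditions in the NFRs.
SAMPLE_POLICY = {
    "lockout_threshold": 0,        # 0 means accounts are never locked out
    "counter_reset_minutes": 20,   # the GAN setting noted in NFR 10-02
    "min_password_length": 6,
    "password_history": 2,
    "complexity_required": False,
}


def check_policy(policy, req):
    """Return (control, observed, required) for each setting weaker than req."""
    deviations = []
    if not 0 < policy["lockout_threshold"] <= req.lockout_threshold:
        deviations.append(("lockout_threshold", policy["lockout_threshold"], req.lockout_threshold))
    required_minutes = req.counter_reset_hours * 60
    if policy["counter_reset_minutes"] < required_minutes:
        deviations.append(("counter_reset_minutes", policy["counter_reset_minutes"], required_minutes))
    if policy["min_password_length"] < req.min_password_length:
        deviations.append(("min_password_length", policy["min_password_length"], req.min_password_length))
    if policy["password_history"] < req.min_password_history:
        deviations.append(("password_history", policy["password_history"], req.min_password_history))
    if req.require_complexity and not policy["complexity_required"]:
        deviations.append(("complexity_required", False, True))
    return deviations


# Constructed audit log lines (not FLETC data): ISO timestamp, event, key=value fields.
SAMPLE_LOG = """\
2010-09-14T08:01:12 LOGON_FAILURE user=jdoe src=10.0.5.21
2010-09-14T08:02:40 LOGON_FAILURE user=jdoe src=10.0.5.21
2010-09-14T08:03:05 LOGON_FAILURE user=jdoe src=10.0.5.21
2010-09-14T08:03:50 LOGON_SUCCESS user=jdoe src=10.0.5.21
2010-09-14T09:15:00 LOGON_FAILURE user=asmith src=10.0.7.3
2010-09-15T08:20:00 LOGON_FAILURE user=asmith src=10.0.7.3
2010-09-15T08:21:00 LOGON_FAILURE user=asmith src=10.0.7.3
2010-09-14T11:00:00 PROFILE_CHANGE user=admin target=bjones role=approver
"""


def parse_log(text):
    """Parse lines into (timestamp, event, fields) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append((datetime.fromisoformat(stamp), kind, fields))
    return events


def failed_logon_bursts(events, threshold, window_minutes):
    """Replay logon events against a lockout rule.

    threshold_reached lists (user, time) whenever the failures inside the
    reset window reach the threshold; success_despite_threshold lists
    successes that follow such a run, i.e. evidence the lockout did not apply.
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    reached, despite = [], []
    for stamp, kind, fields in sorted(events, key=lambda e: e[0]):
        user = fields.get("user")
        recent = [t for t in failures[user] if stamp - t < window]
        if kind == "LOGON_FAILURE":
            recent.append(stamp)
            if len(recent) >= threshold:
                reached.append((user, stamp))
        elif kind == "LOGON_SUCCESS":
            if len(recent) >= threshold:
                despite.append((user, stamp))
            recent = []  # a successful logon resets the counter
        failures[user] = recent
    return {"threshold_reached": reached, "success_despite_threshold": despite}


def profile_changes(events):
    """(time, actor, target, role) for each profile change, the record NFR 10-05 found missing."""
    return [(stamp, f["user"], f.get("target"), f.get("role"))
            for stamp, kind, f in events if kind == "PROFILE_CHANGE"]


if __name__ == "__main__":
    for deviation in check_policy(SAMPLE_POLICY, EXAMPLE_REQUIREMENTS):
        print("policy deviation:", deviation)
    events = parse_log(SAMPLE_LOG)
    print("24-hour window:", failed_logon_bursts(events, 3, 24 * 60))
    print("20-minute window:", failed_logon_bursts(events, 3, 20))
    print("profile changes:", profile_changes(events))
```

Run as a script to print the deviations and both replays. With the 24-hour window the second user's three failures spread over two mornings are counted together and reach the threshold; with the 20-minute window the first failure has aged out before the next two arrive, which is the practical effect of the GAN setting described in NFR 10-02. The first user's success after three failures inside either window is reported as a lockout that was not enforced.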
Appendix C
Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at FLETC

Appendix C
Department of Homeland Security
Federal Law Enforcement Training Center
Information Technology Management Letter
September 30, 2010

NFR No.          Description                                                                                    Disposition
FLETC-IT-09-03   Momentum System Software is Not Logged or Reviewed.                                            Closed
FLETC-IT-09-26   System Engineering Lifecycle is not finalized.                                                 Closed
FLETC-IT-09-31   Configuration Management Weaknesses on the Procurement Desktop, Momentum, and GSS.            Closed
FLETC-IT-09-33   Momentum Audit Logs are not Reviewed.                                                          Repeat (10-04)
FLETC-IT-09-34   GAN audit logs are not reviewed.                                                               Repeat (10-05)
FLETC-IT-09-35   Weak access controls around Momentum.                                                          Repeat (10-02)
FLETC-IT-09-36   Ineffective logical access controls over the GAN.                                              Repeat (10-03)
FLETC-IT-09-37   Physical Security and Security Awareness Issues Identified during Enhanced Security Testing.   Repeat (10-06)
FLETC-IT-09-38   Ineffective logical access controls over SIS.                                                  Closed

Appendix D
Department of Homeland Security
Federal Law Enforcement Training Center
Information Technology Management Letter
September 30, 2010

Federal Law Enforcement Training Center
U.S. Department of Homeland Security
1131 Chapel Crossing Road
Glynco, Georgia 31524

Homeland Security

February 23, 2011

MEMORANDUM FOR:   Frank Deffer
                  Assistant Inspector General
                  Information Technology Audits

FROM:             Sandy H. Peavy
                  Assistant Director/Chief Information Officer
                  Chief Information Officer Directorate

SUBJECT:          Response to Draft Audit Report – Information Technology Management Letter for the Federal Law Enforcement Training Center Component of the FY 2010 DHS Financial Statement Audit – For Official Use Only, OIG Project No. 11-029-ITA-FLETC

The Federal Law Enforcement Training Center (FLETC) appreciates your efforts in assessing the effectiveness of our general Information Technology (IT) controls supporting the FLETC's financial processing environment and related IT infrastructure. The FLETC welcomes your observations and recommendations for ensuring a secure and compliant operational environment.

We have completed our review of the draft management letter from the independent accounting firm of KPMG LLP (KPMG) titled Information Technology Management Letter for the Federal Law Enforcement Training Center Component of the FY 2010 DHS Financial Statement Audit – For Official Use Only and concur with the Notice of Findings and Recommendations (NFRs). The FLETC continues to make progress by remediating many of its prior years' IT control weaknesses.

The FLETC is committed to improving and enhancing the security and integrity of its financial reporting process and overall IT security posture.

Point of contact for additional information or questions is the FLETC Chief Information Security Officer Jeffery W. Johnson, (912) 267-21[illegible]6.

cc:    Director
       Deputy Director
       Chief Financial Officer

Department of Homeland Security
Federal Law Enforcement Training Center
Information Technology Management Letter
September 30, 2010

Report Distribution

Department of Homeland Security
Secretary
Deputy Secretary
General Counsel
Chief of Staff
Deputy Chief of Staff
Executive Secretariat
Under Secretary, Management
Director, FLETC
DHS Chief Information Officer
DHS Chief Financial Officer
Chief Financial Officer, FLETC
Chief Information Officer, FLETC
Chief Information Security Officer
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
DHS GAO OIG Audit Liaison
Chief Information Officer, Audit Liaison
Audit Liaison, FLETC

Office of Management and Budget
Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress
Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;
• Fax the complaint directly to us at (202) 254-4292;
• Email us at DHSOIGHOTLINE@dhs.gov; or
• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.